How to build a secure mobile app: 10 tips

First comes the app concept—that’s the easy part. After the stroke of inspiration comes a lot of planning, outlining, and strategizing to make that app dream become reality.

There are a lot of factors that go into app development, and in a world where hacking, data leaks, and cybercrime is more prolific than ever security needs to be at the top of the list when starting a new project.

The last thing any app developer wants is their idea to go bust because of a major security flaw. With proper security planning and strategy it doesn’t need to, though. Here are 10 tips to ensure your mobile app hits the ground securely.

1. Incorporate the security team from day one

Security should be part of the mobile development process from the first time the dev team sits down together. Whether you’re SWOTting, Scrumming, using DevOps, Rapid, or Agile it makes no difference: Include security so every change incorporates it.

When a change is made or a major revision is planned, always consult the security team so they know how to account for any issues that may arise.

2. Test, test, and retest

As reported on TechRepublic last year, 60% of developers lack confidence in the security of their code, yet don’t take steps to fix it. The problem, as NodeSource and Sqreen mentioned in their report, is partially due to testing—lots of developers just aren’t doing it.

QA is an important part of building secure code, and like security as a general concept, it shouldn’t simply be tacked on to the end of the process. Review code constantly and identify every potential security hole you can find, then fix it before it ends up live.

SEE: Software quality control policy (Tech Pro Research)

The biggest concern that developers have, according to the report mentioned above, isn’t actually due to lack of testing: It’s due to something else entirely, particularly the problems inherent in third-party dependencies.

3. Don’t assume the safety of third-party dependencies

It’s common for developers to incorporate portions of code available freely or for sale from other sources: Why reinvent the wheel when it already works fine as-is?

Third-party code isn’t always safe, and according to the NodeSource/Sqreen survey cited above, only 16% of developers trust the third-party dependencies they use. 40% skip review for those third-party components, though.

Don’t be one of those programmers. Thoroughly pick apart your third-party modules to be sure they’re safe.

4. Careful with that API

APIs are an essential part of backend programming, but they’re also a security headache since they often need to face the outside world. Be sure that the APIs you’re using are verified for the platform you’re developing on.

Be sure to also incorporate an API gateway as discussed in this TechRepublic piece.

5. Think like an attacker

When you’re writing code, think about it like an attacker: Could you exploit this? What may seem like a minor issue not worth addressing could be a vulnerability a hacker could use to attack your application.

Code reviews should always include some time spent looking for ways to break the app. Don’t stop at obvious flaws either, some attacks are so inconceivable that you should be testing, and accounting for, everything. That goes double for mobile devices, which are subject to a wide variety of environmental variables.

6. Eliminate attack vectors by minimizing permissions

Zero-trust security is one of the fastest growing security methods, and with good reason: It assumes no one, and nothing, on a network is secure. As such, only the barest permissions are granted to a user or a machine, and only as needed.

Your mobile app should be designed the same way. If it doesn’t need access to the camera, or contacts, or the dialer, don’t ask for it. If it doesn’t need a constant connection, don’t program it with one.

Each permission an app needs is another connection it has. The best fortified castles only have a single entrance—think of your app like a castle and eliminate all those secret exits and hidden passageways.

7. Be mindful of what’s being stored on a device

Personal data stored by an app is ripe for the plucking—get rid of it, or move it to a secure location on the device. If you have to store sensitive or personally identifyable information on a user’s device, encrypt it.

If sensitive data is used by your app there’s going to have to be a compromise somewhere: Either it’s going to be on-device or on your servers, and both are a risk. As part of developing your app, take time to determine the best place for user data, both for the user’s sake and from a security standpoint.

8. Secure data transmission

VPNs, SSL, and TLS can all help secure data in transit, as can encrypting it between sender and receiver. Find a way to ensure your app is transmitting and receiving data securely so it can’t be intercepted or spoofed.

9. Use tokens to handle sessions

Tokens are the de facto way to handle user logins in the modern app world, and you should use them to better manage user sessions. Not only can they be easily revoked to ensure user security, but they’re also more user-friendly, which is always a plus for an app.

OAuth2, JSON Web Tokens, and OpenID Connect are all great methods for securing, and simplifying, user logins.

10. Implement tamper protection

More of a problem for Android apps, which are easily decompiled, tamper protection is a must-have for security. Copycat apps have appeared in Google Play and fooled millions of users, and you don’t want your app to be one of them.

There are a number of different ways to tamper-protect an Android app, so implement one of them, or preferably more, to protect your users and your reputation as a trustworthy app choice.